Detecting Coercive Lures with OCR

Posted on 2020-05-12 by Josiah Smith
InQuest Deep File Inspection (DFI) utilizes machine vision and optical character recognition (OCR) to identify the social engineering component of a variety of malware lures. This is one of the myriads of techniques that we employ to detect novel malware that may leverage previous unseen and undetectable tactics. Acknowledging that phishing is still the predominant access vector for threat actors to carry out their attacks, it is irresponsible to think that it is possible to "Squish the Phish" or get that "click rate" down to zero. In respect to the colloquial security proverb, "Prevention is ideal, but detection is a must", InQuest has been following a variety of different techniques used in malicious documents. On a consistent basis, threat actors are trying to convince the unbeknownst user into "enabling macros" or "enabling content" in order to progress down the attack chain. Typically, these documents contain a macro called "Auto_Open" or "Document_Open", but it could really be any one of a dozen or so canonical names that cause Microsoft Office to automatically execute the macro once the document is opened.
Fig 1. Coercion Lure. 4bda1925f9a18e879eec373263b37ae20581403777bbdf899ca8ba1ae3cefbc9
Over the last two years, we have published technical blogs covering in-depth analysis on some techniques used within these maldocs. Generally, they had low AV detection rates and were vehemently obfuscated to cause frustration to analysts and security products.
  • [Extracting "Sneaky" Excel XLM Macros](https://inquest.net/blog/2019/01/29/Carving-Sneaky-XLM-Files)
  • [Getting Sneakier: Hidden Sheets, Data Connections, and XLM Macros](https://inquest.net/blog/2020/03/18/Getting-Sneakier-Hidden-Sheets-Data-Connections-and-XLM-Macros)
  • [ZLoader 4.0 Macrosheets Evolution](https://inquest.net/blog/2020/05/06/ZLoader-4.0-Macrosheets-Evolution)
    • One successful InQuest signature, "Document Containing Macro Execution Coercion", is described as Microsoft Office document malware carriers that attempt to coerce the user into activating malicious content through on-screen instruction. In some environments, macros are disabled within Microsoft Office, and therefore malicious macros will not be executed by default. Threat actors use different types of lure messages in an attempt to convince users to enable macros so malicious code can be executed. The severity of this event will increase in the presence of other alerts, for example, those pertaining to automatic macro execution, obfuscation, and other suspicious attributes.

    Value of OCR

    There is appreciable value returned when combining OCR with the DFI process. After the OCR strips the text from the images, de-facto or user-defined threat detection signatures can alert on the text from within the image. For example, deduced text strings in the form of "enable content " or "office version isn't compatible" are frequently used in these documents. Of note, another use case in this scenario could be data-loss detection identifying PII, PHI, PCI, or other sensitive information InQuest Labs consistently sources the strings found in these lures to keep our signatures up to date. Our user base and in-house security engineers have been commenting on the consistent success with this detection technique.
    Fig 2. OCR Derived Text.

    Tracking Graphical Assets Based on XMP IDs

    InQuest has been tracking the graphical assets used in the malicious documents using Adobe Extensible Metadata Platform (XMP) identifiers (IDs). As described in [Adobe XMP: Tales of an Overlooked Anchor](https://inquest.net/blog/2019/09/30/Adobe-XMP-Tales-of-an-Overlooked-Anchor), the hashes / GUIDs are used as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. The following list of XMP IDs was harvested from the most common graphical lure templates: 
    
    037efa89-9f85-d141-bdcb-7fc208a9471f
    25720195-077c-684a-b376-ddb0eec9490d
    4da1efc4-3be3-db47-ad6a-94bef19999d7
    5a11ba92-5aa2-dd4c-9428-76c6845a42e9
    7d130047-163d-7c4b-ad85-c450be72e18e
    8044e5c8-00df-004b-a352-8ad4178136bf
    9cb60a7b-deba-d647-b8f5-5940685d2ab5
    baebffad-e645-e048-95f1-302ea6696408
    ce1f5951-83ee-0949-a431-1a7ed96b5005
    cf388654-c5b4-264f-b9bf-723c838a6b4d
    e48fd268-0a9f-cb49-b560-b2b7bd429157
    faf5bdd5-ba3d-11da-ad31-d33d75182f1b
    Note that the above happen to be all in GUID format, but hash format is plausible as well.

    Gallery of Common Graphical Lure Templates

    The following gallery of lures was harvested from a variety of malware samples collected over the past 30 days. Common among these lures is that they all capable of evading common detection stacks.
    Fig 3. 6bd1f68f097c7ad45edbc1038b7ecdbaab7755c1f5dcd314f9d0c72905daf1da
    Fig 4. 3ca2e33efbca17cd1ef1aa5152e7d84bb0bb2d597e70c7265f473fc2089d40ef
    Fig 5. 0cea6df5c4d704c6ed962864ea64f453dd13b582f22033e0e1487bd104763cf0
    Fig 6. 3a8228f70497cc4d49992ef3fd29ffafd9da7dd9832464fa44b98793d0b19d5e
    Fig 7. 8b9eeb92cc9a37e862c59a0fa8afeb54a7be15de3a897c71f7f3f0c871662759e
    Fig 8. 8e8da1dd35fcb845d2beb3fcae2ad92520b9c7fcbfab05a1eed919f7a6b08fc0
    Fig 9. 130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5
    Fig 10. 482a0d6e274186c70435c4b3c198797c25b2b6657a0bf400090c7989bb87142f
    Fig 11. bd97cd47caf2c1d33964b38a8113fd9fc35f5ac557b69c7abe27da7bfd04c77f
    Fig 12. c5ec102aa7fe27ca05d4fe532c79fbb1e623fed6273eb00f46e792a4e267a3ef
    Fig 13. 820832fd5c46c67d1913f023ec8dbe21e3e69d753af5e56b6c3088fd1c56ac6a
    Fig 14. bcb00b6f67396126e1c2f0edd745e3589d10aeae0f744161d6c576312affdd96
    Fig 15. 1e6891472de82be04e4cf9177bdc68b59b22e72aaef1d6a4aa31892463902f09

    IOCs

    Adobe XMP IDs

    • 037efa89-9f85-d141-bdcb-7fc208a9471f
    • 25720195-077c-684a-b376-ddb0eec9490d
    • 4da1efc4-3be3-db47-ad6a-94bef19999d7
    • 5a11ba92-5aa2-dd4c-9428-76c6845a42e9
    • 7d130047-163d-7c4b-ad85-c450be72e18e
    • 8044e5c8-00df-004b-a352-8ad4178136bf
    • 9cb60a7b-deba-d647-b8f5-5940685d2ab5
    • baebffad-e645-e048-95f1-302ea6696408
    • ce1f5951-83ee-0949-a431-1a7ed96b5005
    • cf388654-c5b4-264f-b9bf-723c838a6b4d
    • e48fd268-0a9f-cb49-b560-b2b7bd429157
    • faf5bdd5-ba3d-11da-ad31-d33d75182f1b

    Selected Malicious Document Hashes

    • 0090e624ffc2118731d55fc87660b78977b3f8c975006b1e58df03e8a134cc4f
    • 01b9b8580230a33a84fa39cf8238fef4d428cd9cf83f9acfb449626ee5b8ea8c
    • 085f24ef9e41fec40b75dee7b0e60b224b7391c2affd09f9c92f7a9b6b212acd
    • 0a3f4bef77abc93874f79e197e9c99c68b4bd381a65b5a027843c9f789d4dab2
    • 0a4796f99b42925351f3e135e4ca229328970c06cfcb2294e9aa8c58c33ae986
    • 0b39948f16ff05f5cd0e0b5d87ee426a671c520affa09ad0c33a612e76643a1c
    • 0cea6df5c4d704c6ed962864ea64f453dd13b582f22033e0e1487bd104763cf0
    • 0f52267f087eb6c00daf328f145368e495ccf8252ed84699c5f2d3a4203d8708
    • 10f79daf80a8c4c608fb6cfa7e1d7764dbf569a9a15832174225dda3c981062a
    • 11fc0f16f456946282c045a7de6d82b1da373e49de58ff9ad654336b2fb1bf0f
    • 130439d9b8a66117b05587c50710be9d35e765139086c73f9d2190a8602bfec5
    • 18bdfc5c088f91cced4ce7cc9c5318e6708d67d34795602ca16cd195c7cd6ee6
    • 192dd15885d20c08857696b166473222fe4530435571140f9d9533a18c8ddf02
    • 1e6891472de82be04e4cf9177bdc68b59b22e72aaef1d6a4aa31892463902f09
    • 2286ce89fd4613b3f2eb7b0bcdf3a522dae0e52cd090916eecf62101f583d048
    • 22bb1293cfd109d0b8bd44d410f379deb8c4d02b095552b8954c6a75e5bc9ae9
    • 22dd30e15c6d7dd29067bb53b4b150ebbc554252378849dcc9ae1970fa32cc1f
    • 23d1e476ab099fff5d1287553f6e7ba7e1c305273fe05cedb5ab6fe8b589705f
    • 24f3c1c8a602cba6c1d78da4d36b9ed4809df06f7a0fc600c00a857de66f3323
    • 250593c7b94207d44befaa3d457f7a064bb639b136156f84828499eb6c0cab97
    • 259c7d38efbbce4a257d81b0fce295e392df9871db5c20c2269fda075c8a1a92
    • 2aa9e690895bd08efe0bc1ea961e03f99fd366ac488464c1c7925523172cfaee
    • 2b22881fd9d6a6b9a5298d49a38e0a384908bcae5fa47f66cf598d9b5e4a3a60
    • 2c84f218b0bee656b281a78a690bbe205f7c5c9b77446b16594de4fcb57aa067
    • 2d99567edd88a1e416ace504bd53ee0d2ec066cb437b5e9bdad2e0df0f97c3c9
    • 2dcfcf26cc5e5eac92bab1c1aff23be2aa5b4ff7031e97f223e5f01733f0db89
    • 33e93041186f28aad4f1e1d35a964c64b8fc85e6ab91697403bc0855a1f8731a
    • 34827d5bafd27dbfb9bf7bb91fd92c4080bb6bbbf66d18aff59a4af25e53d73b
    • 376598891290376013cbd6b52aea997652384ff1c0f27ea513b1505820cb1e22
    • 3a0ea7cef74d93a40c10720357e7aef0967316239d1d8ea54dc0019dbc2c4d74
    • 3a8228f70497cc4d49992ef3fd29ffafd9da7dd9832464fa44b98793d0b19d5e
    • 3bf6f90de075923cf8293fc5c2bb4f2771c4692bbebd7729d75c3d9ba44269f9
    • 3ca2e33efbca17cd1ef1aa5152e7d84bb0bb2d597e70c7265f473fc2089d40ef
    • 3f16b1c889e2fcbbf96fb32693c712dc322b7c72e1092da42c5bddf079012610
    • 4047b864c37d3ae4c0a37375e302497ee575291c28255d8bb41d83f0d1cbbad1
    • 40c3aff7560f36a51e43f82c5f3370aa1b8b7488742c449e0f66c21f30537cde
    • 4224fcb79b6e63a774b4bddc9cb00179a63feee5462b885dc2b264094125a0b3
    • 428b7024a14e1e76c4fe208ac21d2b37abdea57f362dd448c487dfcfc74e890f
    • 42a06bea1a8b433334ad366d6725617e0324f242b6ee980785cc1218131f1cfd
    • 43b9aabc7eeb1bcf91613fd0ad714763f5c9c65cd876d1d69293e15af03d8fa6
    • 44e444fa117c502b123341d656070331a51e1b77f9248763a4a162412c0ced03
    • 482a0d6e274186c70435c4b3c198797c25b2b6657a0bf400090c7989bb87142f
    • 4bda1925f9a18e879eec373263b37ae20581403777bbdf899ca8ba1ae3cefbc9
    • 4e105f96511b17aab8bbf9d241a665b466e4d0c4dd93af83710ec6423ceb1b0f
    • 50aa8976ec692e058bc525d49465329c6380537f53669058d1542b94eef68128
    • 52b126783b654905df5b7bea881bc3f5be217eee7fe86c9f07be33a4c950aebb
    • 548a2ce5ca5f3f629cf524d360b32f4e04d21b57940dbb228c145ca871097c3c
    • 5842d4b3210c23fca22b69e34c146a48bfff0affc6313ee6fc45b8a3430d8f61
    • 5b1fdd5e3779798bddd5da83554c6439467078643344bafe0bd464f4012522b4
    • 5bb1d5270278636fb023b3f0723979929c059f4133c5b1261baf1f5d7badf19f
    • 6654a38cba97469680b916233fa9e3a2cf97a1f6f043def9c76a64fb285f32de
    • 67543367d8fda211437a189fcb2836a6e9dff3feb1857c4bcc30286f04fb7ff4
    • 67a46a7954361ad55be59ce6102d57659c4ca53790005f124953a836801ae86d
    • 68eae8d9e9801d1abccb39d3fd3b8f717829fae26627e53a8f6b5eb503c320be
    • 6bb1db6ccae5c31599543bad4d66af13c45cbcaffdfb26bdae1b8c142f5445b8
    • 6bd1f68f097c7ad45edbc1038b7ecdbaab7755c1f5dcd314f9d0c72905daf1da
    • 6c1bba12d0aa52b3cb797a2c601125b551e4209d17d3ab6a3340ecfeed3a2b93
    • 6c37e808baa98b5a247c555bb64d56d55fe2bafc49b1c279b7b396c5fd739937
    • 6c45602c1c35a68d5a070d9e4af6c11f87c813115f3463bfdc3c04c83f270468
    • 6d0d10d8197389db11c5d894a9da37f2ecfde174cd5aa8ac180a80bbff02c0d3
    • 6fc10a3cd47f8d5a77029b458c620a743f105b8b105b95babdc047269a01e05d
    • 72013b5ec3069a1f62b2b1e1baf22e5639b15eb673501d2887132434736f6500
    • 76ea3dae6b913f7baeef516dfc513c7d73c9edb8ff80e456aec98b8529850529
    • 77972c1847fc9608a484d72290b42de918074e33864fc3d5906d5e296c0cf725
    • 7a151b7d2205529e22b8e14c630356ff3348980d83a634c4bb333357cecaeb4a
    • 820832fd5c46c67d1913f023ec8dbe21e3e69d753af5e56b6c3088fd1c56ac6a
    • 8219230fc42e44321cdb0ff3bbcd3edd204e66b7d855b7f1cd6f555141a4deaa
    • 85d35e707e1870a1f250a26d919aea933be0db66ef95d2060c7ea2f3a63518c2
    • 86a237d0a5fac77fd8efda3a150cd1ce3ca2eb6afb5f1096f8f344864de799c2
    • 8b9eeb92cc9a37e862c59a0fa8afeb54a7be15de3a897c71f7f3f0c871662759
    • 8e8da1dd35fcb845d2beb3fcae2ad92520b9c7fcbfab05a1eed919f7a6b08fc0
    • 8f0133ee567962684876ea09deba6b25e4cf1e27e3fe23389758bd7065728346
    • 8f6d5f64adcfd32e74eaa3a9e376385c59f7ce41d0cb215e0d22b6f44235c0e9
    • 9519045db67aaa9a713e39d47787d59e7b4df67ae99fd5dbaa98ad8679ae3d9c
    • 955d59e66e24b4585dd044b1576f03ff0e6d8306397766420806979475eededd
    • 97489f14edf02081943ba6bdc4f8ddc61b489c2d114eff2fc560f6225f3c8907
    • 9bcf6185b2a46d17bbe247e5c33586eb8eaec7eefa385cd5a6ea3058a145faad
    • 9d2cb014ef6a4d99fcd11a3ba9077d4846af8cc83cc68a750fd87ba209a200b0
    • 9ee1e7d2e45509c0214ace51b05b3785d57be57a098abd5b55b447770d14629d
    • a487f2535ae50af16fa5eb852968fbd40543842009f1fd6790f194cad96b8b76
    • aa22a09ab200d4f75c1661201560831a26d575137c4c4ae454f7a438d590d459
    • aa6e5b1d271c955596b36671d729837bfa0162cf71c0f1d7649475dc5440a12c
    • ab4d15596adb228e4e1cf74fb07797fc219222da9892830d7fcc5ad82c713507
    • abe03a6f900f0bf57ca6385013cc828354732f08b961bbf1dad5d0126e4e78bc
    • add4e403e0a508a08f82e74e6079fbed86cf2f31f47db61697efbc6d52c72a99
    • b2a1d41b23011262e9ad3557485fcbd6ef3cab71d74e6df1965c93c5bd85ddd4
    • b92e653d98b47517287e2e5e231705988fe45c4ab2b549ee36ed59dabf8e7f17
    • bcb00b6f67396126e1c2f0edd745e3589d10aeae0f744161d6c576312affdd96
    • bd97cd47caf2c1d33964b38a8113fd9fc35f5ac557b69c7abe27da7bfd04c77f
    • c44f65a7af5bda38bd243ccb9183aee20bb918bc5cc8ada8d78623f7ccde85cb
    • c5ec102aa7fe27ca05d4fe532c79fbb1e623fed6273eb00f46e792a4e267a3ef
    • cb34aabdfeeabf0bb1e68bc798744c3e975d336b540d0b8faf7b96af41b3410c
    • d48a23e5e34c5733af48485cf77223f825557bd8aeab349f805550b5d8e3cacc
    • dba362bc8a4a2e46ba1e4bb3ac851a32b23ff33765cce8cf45a3c2e28a0ab7bc
    • e468618f7c42c2348ef72fb3a733a1fe3e6992d742f3ce2791f5630bc4d40f2a
    • e4acd07330916aab8e489e987c091d859810df3e6d9e17f8165473256519a427
    • e7fd926110b80a3498b7d06672df208e9d46b942e08b230af773508abaff6643
    • e90fe814adf85a4706c585237c7877139f6bdf9b08e5c21442f93e081c07797a
    • ef61a66ace3a55845863b6aee7da8676fe741ded0d6b0dea2952a31915dc978d
    • f088a5262f3d113f2eb373b083d6167729fb724980b9d187bd4c2124bb60e14c
    • f4e43a4ef567bf7f3c057478f6eaefb62f7ef57e76bce2275e3eb536be942480
    • f550bd94aa1f22989b4f3057f862af428dd5e8f8db7ff945f1b43aca83706e53
    • ffb6ba6e8f545b4a349d5dc8de18933d2036536135dc6b9718caec3050146baa
    Please note that all of the above samples are available for download from InQuest Labs.
    field-notes labs deep-file-inspection